如何在不使用Google应用的情况下授权Google云端硬盘服务帐户访问Google帐户?
我想使用Google云端硬盘作为我正在制作的网站的准CMS,以便内容所有者可以使用Google云端硬盘编辑其内容。我希望使用可访问Google云端硬盘的特定用户帐户(截至撰写本文后,服务帐户无法直接访问Google云端硬盘),并且能够与内容所有者共享文档。
I'd like to use Google Drive to work as a quasi-CMS for a website I'm making so that the content owners can edit their content using Google Drive. I'd like to use a specific user account that has access to Google Drive (as of writing this post, service accounts DO NOT have direct access to Google Drive) and is able to share documents with the content owners.
阅读API和教程后,我在代表团找到了答案: https://developers.google.com/drive/delegation
After reading through the API and tutorials, I have found the answer in delegation: https://developers.google.com/drive/delegation
这个流程的主要问题在于该网站不受Google Apps管理,因此,为服务帐户授权域名权限中列出的步骤使我感到困惑 - 似乎应该可以在不使用Google Apps的情况下处理此授权,但在Google Drive中搜索特定用户帐户后,我似乎无法找到授权模仿的能力。
My main issue with this process is that the website is not managed by Google Apps and therefore the steps outlined in 'Delegate domain-wide authority to your service account' confuse me - it seems like it should be possible to handle this delegation without using Google Apps, but after searching through the settings in Google Drive for my specific user account, I can't seem to find the ability to authorize impersonation.
我使用的代码片段:
A snippet of the code I'm using:
static public function getService() {
$key = file_get_contents(GOOGLEAPI_KEYFILE);
$auth = new Google_AssertionCredentials(GOOGLEAPI_SERVICE_EMAIL, array(GOOGLEAPI_SCOPE), $key);
$auth->setPrn(GOOGLEAPI_IMPERSONATION);
self::$apiClient = new Google_Client();
self::$apiClient->setUseObjects(true);
self::$apiClient->setAssertionCredentials($auth);
return new Google_DriveService(self::$apiClient);
}
GOOGLEAPI_IMPERSONATION 是特定的用户帐户,当我运行此代码时,异常状态为:
GOOGLEAPI_IMPERSONATION is the specific user account and when I run this code, the exception states:
刷新OAuth2令牌时出错,消息:'{error access_denied}
Error refreshing the OAuth2 token, message: '{ "error" : "access_denied" }
任何人提供任何帮助?我是否误解了oAuth在授权方面的工作原理?
Anyone offer any assistance? Am I misunderstanding a fundamental concept of how oAuth works in terms of delegation?
服务帐户适用于两种不同的情况:
Service accounts are meant for two different cases:
- 授权应用程序/进程进行身份验证&使用自己的身份调用服务。考虑预测,云存储等服务,数据由应用程序拥有。
- 假冒Google Apps域中的用户,域管理员可以预先授权应用程序执行操作代表他们的域中的用户。
冒充适用于Google Apps域名,因为管理员可以通过控制面板为其用户授权带外应用。当然,他们只能授权应用程序访问他们管理的帐户的数据。对于不属于组织的个人用户,应用程序需要使用正常的OAuth流程来请求来自每个用户的授权。
Impersonation works for Google Apps domains because the admins have a mechanism to authorize the app out of band for their users via the control panel. Of course they can only authorize the app to access the data for the accounts they managed. For individual users not part of an organization, apps need to use the normal OAuth flows to request authorization from each user.
我暂时没有测试过它,但最后我检查了它可以使用Drive作为自己的服务帐户。我遇到的唯一限制是无法购买额外的配额,并且该应用仅限于最初的5GB免费存储。
I haven't tested it in a while, but last I checked it is possible to use Drive with a service account acting as itself. The only limitation I ran into was it wasn't possible to purchase additional quota and the app was limited to the initial 5gb free storage.